
Turn Drupal 8 into an Identity Provider with SimpleSAMLphp


There is enough information available to help you turn a Drupal 7 installation into an Identity Provider (IdP) for Single Sign-on (SSO) and Single Logout (SLO). In fact, that information will also help you accomplish the same for Drupal 8. However, the amount of configuring involved might be too daunting for someone starting out on this venture.

The latter provides a Drupal 7 module, a SimpleSAMLphp module written for Drupal 7, and instructions on how to configure them. They are the same modules used by the author of the blog post in the first link.

Brad Jones has programmed a module inspired by the work done by Steve Moitozo for Drupal 7 (the Drupalauth module): saml_idp. This blog post describes how to use saml_idp to turn your Drupal 8 installation into an IdP.

Preparation

The saml_idp module that will be installed with Composer depends on openid/php-openid, which in turn requires the PHP extension GMP to be installed. Most standard PHP installations do not include this extension. You may need to install it first. In my situation I used the Linux shell command:

sudo apt-get install php7.1-gmp

After restarting the webserver the module can be installed using Composer:

composer require drupal/saml_idp

The installation description for saml_idp advises you to run the post installation script. You can do this with Drush from the web root with the command:

drush ev 'Drupal\saml_idp\Install::postInstall()'

This post-installation script creates the subdirectory /vendor/simplesamlphp/simplesamlphp/modules/drupalauth and, in that subdirectory, an empty file named 'default_enable'.

Next, an alias needs to be added to the Drupal site's virtual host configuration (the “sites-available” bit of apache2 or nginx) that maps /simplesaml to the folder on the server where the SimpleSAMLphp files were placed. In my case:

To conclude the preparation enable the saml_idp module and rebuild the cache.

Configuration

Copy the files 'config.php' and 'authsources.php' from the subdirectory /vendor/simplesamlphp/simplesamlphp/config-templates to the subdirectory /vendor/simplesamlphp/simplesamlphp/config (create the subdirectory when it does not exist yet).

In the new 'config.php' file change the values of the following $config array items:

'auth.adminpassword' to another value (for security reasons SimpleSAMLphp will not work when you do not reset this value).

The content of 'saml20-sp-remote.php' is dependent on the URL of your Service Provider (SP). So you will need to change the values of 'AssertionConsumerService' and 'SingleLogoutService' to reflect the correct URLs for your SP:

The above settings are for a Drupal SP that uses the module saml_sp. The Entity ID setting for this SP module would be 'http://idp.dev/simplesaml/saml2/idp/metadata.php' and the App name should be 'http://spvm.dev/user'. The App name defined in the metadata usually reflects the URL of the SP.

The settings for the IdP Login and Logout URL on the SP side will be 'http://idp.dev/simplesaml/saml2/idp/SSOService.php' and 'http://idp.dev/simplesaml/saml2/idp/SingleLogoutService.php' (replace 'idp.dev' with the actual hostname of your IdP).
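As an added illustration (not the author's own configuration file), this is what the 'saml20-sp-remote.php' entry for the Drupal SP described above could look like, including two signature-validation options the post does not mention. The SP endpoint paths (/saml/consume, /saml/logout) and the certificate file name 'spvm.crt' are placeholders; take the real values from your SP's metadata.

```php
<?php
// config/saml20-sp-remote.php (added example, not from the original post).
// The array key is the SP's entity ID, i.e. the "App name" on the SP side.

$metadata['http://spvm.dev/user'] = [
    // Where the IdP posts the SAML Response after a successful login.
    // Placeholder path: use the ACS URL your SP publishes.
    'AssertionConsumerService' => 'http://spvm.dev/saml/consume',

    // Where LogoutRequest/LogoutResponse messages for SLO are sent.
    // Placeholder path: use the SLO URL your SP publishes.
    'SingleLogoutService'      => 'http://spvm.dev/saml/logout',

    // Hardening not covered in the post: require the SP to sign its
    // AuthnRequests and logout messages, verified against the SP's
    // public certificate placed in the cert/ directory (placeholder name).
    'validate.authnrequest' => true,
    'validate.logout'       => true,
    'certificate'           => 'spvm.crt',
];
```

Without 'certificate' configured, SimpleSAMLphp cannot verify the SP's signatures, so the two 'validate.*' options only make sense together with it.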

What remains is the creation of your certificates. For this create the subdirectory /vendor/simplesamlphp/simplesamlphp/cert and in this subdirectory start the creation of your certificates from the command line with:

The file content of 'server.crt' can be given to the SP for its configuration.

Concluding remarks

One major drawback of the above configuration is that the configuration files are placed in the vendor directory. How to solve this issue will be shown in my next blog post. Another issue is that the Drupal 8 saml_idp module is less configurable than its Drupal 7 counterpart. How to override the saml_idp module will also be handled in the next blog post.